1
votes

I'm trying to follow these instructions, https://cloud.google.com/pubsub/docs/dead-letter-topics#assigning_the_publisher_role, to grant Pub/Sub permission to publish messages to a dead-letter queue, but I'm encountering a PERMISSION_DENIED error:

gcloud pubsub topics add-iam-policy-binding my-dead-letter-topic --member="serviceAccount:$PUBSUB_SERVICE_ACCOUNT" --role="roles/pubsub.publisher"
ERROR: (gcloud.pubsub.topics.add-iam-policy-binding) PERMISSION_DENIED: User not authorized to perform this action.

Helpfully, the Google Cloud console shows that I need the pubsub.topics.setIamPolicy permission:

My question is: how would I go about acquiring that permission? Would I have to be a project IAM admin (cf. "You need permissions for this action. Required permission(s): resourcemanager.projects.setIamPolicy")?

1 Answer

2
votes

Yes, exactly. You'll need to be assigned one of the roles that contains the resourcemanager.projects.setIamPolicy permission. As you pointed out, the answer to "You need permissions for this action. Required permission(s): resourcemanager.projects.setIamPolicy" outlines the different role options.

Project IAM Admin is recommended because it's the most specific role you can be granted to be able to set the IAM policy.
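
An added example, not part of the original question or answer: an offline check of which members of a project policy hold a role carrying one of the two setIamPolicy permissions named in this thread. The policy is a constructed sample in the shape of `gcloud projects get-iam-policy --format=json` output, the role table is a hand-abbreviated excerpt assumed for illustration, and `who_can` is a hypothetical helper name.

```python
import json

# Hand-abbreviated excerpt (assumption): only the two permissions named in this
# thread are tracked. Confirm real contents with `gcloud iam roles describe ROLE`.
ROLE_PERMISSIONS = {
    "roles/owner": {"resourcemanager.projects.setIamPolicy", "pubsub.topics.setIamPolicy"},
    "roles/resourcemanager.projectIamAdmin": {"resourcemanager.projects.setIamPolicy"},
    "roles/pubsub.admin": {"pubsub.topics.setIamPolicy"},
    "roles/pubsub.publisher": set(),
    "roles/editor": set(),
}

# Constructed sample policy; every member, project and role binding is made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/resourcemanager.projectIamAdmin",
     "members": ["user:bob@example.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/editor", "members": ["user:carol@example.com"]},
    {"role": "roles/pubsub.admin", "members": ["user:dave@example.com"]},
    {"role": "projects/example-project/roles/customOps", "members": ["group:ops@example.com"]}
  ]
}
""")

def who_can(policy, permission):
    """Map each member to the (role, condition title) bindings that grant
    `permission`; also return roles missing from the table for manual review."""
    holders, unknown = {}, set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in ROLE_PERMISSIONS:
            unknown.add(role)  # custom or untracked role: cannot decide offline
            continue
        if permission not in ROLE_PERMISSIONS[role]:
            continue
        title = binding.get("condition", {}).get("title")  # None if unconditional
        for member in binding.get("members", []):
            holders.setdefault(member, []).append((role, title))
    return holders, sorted(unknown)

if __name__ == "__main__":
    for perm in ("resourcemanager.projects.setIamPolicy", "pubsub.topics.setIamPolicy"):
        holders, unknown = who_can(SAMPLE_POLICY, perm)
        print(perm, holders, "review:", unknown)
```

This reads only a project-level policy; bindings set on the topic itself or inherited from a folder or organization are not covered.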